Windows Flaw Leaves Certificates Vulnerable

A serious flaw in the ActiveX control that handles Web-based certificate enrollments in all versions of Windows enables an attacker to corrupt any certificate stored on a user's machine.

By exploiting this vulnerability, an intruder could access and corrupt a user's trusted root certificates, EFS (encrypted file system) encryption certificates and e-mail signing certificates, among others. The vulnerability affects all versions of Microsoft Corp.'s operating system back to Windows 98.

The Certificate Enrollment Control is used by Windows to submit PKCS (public key cryptography standard) #10 certificate requests and then store the certs in the user's local certificate store. In order to invoke the flawed control, an attacker would either have to entice a user to visit a Web site with the exploit code on it or to open an HTML mail message containing the malicious Web page.

Microsoft has issued a patch for each individual version of Windows, which contains a new release of the vulnerable control. However, anyone who operates a Web site that uses the control will have to make some modifications to all of their Web applications in order to use the new control.

The patch also contains a new version of the SmartCard Enrollment Control, which has a similar flaw. That flawed control is included in Windows 2000 and XP only.